Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii


Reported on

Nov 1st 2021


An attacker is able to log out a user if the logged-in user visits an attacker-controlled website.


This vulnerability can force a user into an unintentional logout.


Tested on Edge, Firefox, Chrome and Safari.


You should use POST instead of GET/ANY for the logout route.

To expand:

One way a GET/ANY logout route can be abused is that someone (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet. The browser fetches that URL with a GET request and attaches the user's session cookie, so if a logged-in user of your site stumbles upon that page, they are unknowingly logged out. Laravel's CSRF middleware does not check GET requests, which is why the logout route should accept only POST, submitted from a form carrying a @csrf token.
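As an added illustration (this is not firefly-iii's own code and not the merged fix), the vulnerable route shape beside the hardened one in a Laravel routes file; the paths, the `/account` page and the closure bodies are assumptions:

```php
<?php
// Added example, not code from firefly-iii. Route paths, the /account page and
// the closure bodies are hypothetical; the middleware behaviour is Laravel's.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// VULNERABLE: Route::any (or Route::get) lets a plain GET reach the handler.
// Laravel's VerifyCsrfToken middleware skips the token check for GET, HEAD and
// OPTIONS, so a third-party page logs the victim out with nothing more than
//   <img src="https://firefly.example/logout-old">
// The browser sends the session cookie with that image request.
Route::any('/logout-old', function (Request $request) {
    Auth::logout();
    $request->session()->invalidate();
    $request->session()->regenerateToken();
    return redirect('/login');
})->middleware('auth');

// FIXED: only POST reaches the handler. A GET now receives 405 Method Not
// Allowed, and a POST passes through VerifyCsrfToken (part of the "web"
// middleware group that routes/web.php routes get): without a _token field or
// X-CSRF-TOKEN header matching the session token it is rejected with 419.
Route::post('/logout', function (Request $request) {
    Auth::logout();
    $request->session()->invalidate();
    $request->session()->regenerateToken();
    return redirect('/login');
})->middleware('auth')->name('logout');

// The logout control in the UI must therefore be a form, not a link.
// csrf_field() emits <input type="hidden" name="_token" value="..."> (the same
// thing the @csrf Blade directive produces). An attacker's page cannot read
// this token because of the same-origin policy, so a cross-site POST without
// it fails the middleware check.
Route::get('/account', function () {
    return '<form method="POST" action="' . route('logout') . '">'
        . csrf_field()
        . '<button type="submit">Log out</button>'
        . '</form>';
})->middleware('auth');
```

Check the fix the same way the reporter did: load a page from another origin that embeds `<img src="https://<your host>/logout">` while logged in; with the POST-only route the image request should come back 405 and the session should survive.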


While this cannot harm a user's account, it can be a great annoyance and is considered a valid CSRF.


Timeline

- We have contacted a member of the firefly-iii team and are waiting to hear back (a year ago)
- James Cole validated this vulnerability (a year ago)
- HDVinnie has been awarded the disclosure bounty
- The fix bounty was opened
- James Cole confirmed that a fix has been merged on 47fa9e (10 months ago)
- James Cole has been awarded the fix bounty
- web.php#L84 has been validated